Privacy Policy
Last updated: 7 February 2026
1. Introduction
This Privacy Policy explains how Aeterno Ltd ("we", "us", "our") collects, uses, and protects personal data when you use our website (aeternoai.com) and engage with our Model Asset platform services.
We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018.
Data Controller Details:
- Company: Aeterno Ltd
- Company Number: 12917530 (registered in England and Wales)
- Registered Office: 1 Queen Square, Bath, BA1 2HA
- ICO Registration: C1876071
- Data Protection Officer: legal@aeternoai.com
2. Data We Collect
2.1 Information You Provide
When you contact us through our website or request a demonstration, we collect:
- Full name
- Business email address
- Organisation name
- Role (labelled "Job title" in some forms)
- Industry
- Country
- Area of interest (product preferences)
- Your message or enquiry details
- Marketing communication preferences
2.2 Automatically Collected Information
When you visit our website, our infrastructure providers automatically collect the following as part of standard server logs:
- IP address
- Browser type and version (user-agent string)
- Referring website (referer URL)
- Date and time of access
- Request metadata (URL path, HTTP method, response status)
When you submit a form, the following additional data is captured alongside your submission:
- User-agent string
- Referrer/source URL
- IP address
- A generated reference ID for your enquiry
We use Plausible Analytics to understand how our website is used in aggregate. Plausible does not use cookies, does not collect personal data, and does not track you across websites. All data is aggregated — no individual visitors can be identified. Plausible is an EU-hosted, privacy-first analytics service. For more information, see plausible.io.
2.3 Authentication Data
For authorised users of our platform:
- Email address
- Encrypted password
- Display name (optional)
- Phone number (optional)
- Timezone (optional)
- Account activity logs
- Session information
2.4 Cookies and Similar Technologies
We use the following cookies and client-side storage:
- aeterno-session — an httpOnly, secure cookie used for authenticated session management. This cookie expires after 7 days and is essential for platform access.
- Theme preference — stored in browser localStorage to remember your display settings. This is not a cookie and is not sent to our servers.
We do not use any analytics, advertising, or marketing cookies. For full details of our cookie usage, see our Cookie Policy.
3. How We Use Your Data
3.1 Purposes of Processing
We process your personal data for:
- Business Communications: Responding to enquiries and demonstration requests
- Service Provision: Delivering our Model Asset platform services
- Platform Security: Maintaining secure authentication and preventing unauthorised access
- Marketing: Sending product updates and service information (only where you have opted in)
- Legal Compliance: Meeting our legal and regulatory obligations
- Service Improvement: Understanding market needs and improving service performance and reliability
3.2 Lawful Basis for Processing
The table below sets out the lawful basis we rely on for each processing activity under Article 6(1) of the UK GDPR:
| Processing activity | Lawful basis |
|---|---|
| Responding to business enquiries | Legitimate interests — Art 6(1)(f) |
| Providing platform services | Contract performance — Art 6(1)(b) |
| Platform security and access control | Legitimate interests — Art 6(1)(f) |
| Marketing communications | Consent — Art 6(1)(a) |
| Legal and tax compliance | Legal obligation — Art 6(1)(c) |
| Website analytics (aggregate, cookieless) | Legitimate interests — Art 6(1)(f) |
| Service improvement and market analysis | Legitimate interests — Art 6(1)(f) |
Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.
4. Data Sharing and Transfers
4.1 Service Providers
We share data with trusted service providers who assist our operations:
- Google Cloud Platform — our primary infrastructure provider. Specifically:
  - Cloud Run (europe-west2, London) — hosts our website and API services
  - Google Cloud Identity Platform — processes authentication credentials on our behalf
  - Cloud Pub/Sub — message queue for enquiry processing
  Google processes data under the Google Cloud Data Processing Addendum.
- Email service providers
- Professional advisers (legal, accounting)
All processors are contractually bound to protect your data in accordance with GDPR requirements.
4.2 International Transfers
Your data is primarily processed within the UK and European Economic Area (EEA). Where Google Cloud services process data outside these regions, transfers are protected by:
- Adequacy decisions
- Standard Contractual Clauses (SCCs)
- Other appropriate safeguards under GDPR
4.3 Other Disclosures
We may disclose your data when:
- Required by law or court order
- Necessary to protect our legal rights
- Part of a business transaction (with appropriate confidentiality measures)
5. Data Retention
We retain personal data for:
- Enquiry Data: 2 years from last communication (unless you become a customer). Enquiry data held in downstream systems follows this same 2-year retention period.
- Customer Data: Duration of business relationship plus 6 years for legal and tax purposes
- Authentication Data: Duration of account validity plus 30 days
- Infrastructure/Server Logs: 30 days (Cloud Run default retention)
- Message Queue (Pub/Sub): 7 days (after which messages are automatically deleted)
- Website Analytics: Plausible Analytics retains aggregated, non-personal data indefinitely. No personal data is collected or stored.
6. Your Rights
Under GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data (subject to legal obligations)
- Restriction: Limit processing in certain circumstances
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Where processing is based on consent
Right to Object: You have the right to object at any time to the processing of your personal data where we rely on legitimate interests as our lawful basis. Where you object, we will stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. Where we process your data for direct marketing purposes, you have an absolute right to object and we will stop processing immediately.
To exercise any of these rights, contact us at legal@aeternoai.com. We will respond within one month of receipt. In exceptional cases involving complex or numerous requests, we may extend this period by a further two months, in which case we will inform you within the initial one-month period and explain the reasons for the extension. We may need to verify your identity before processing your request.
7. Automated Decision-Making
We do not currently carry out any automated decision-making or profiling that produces legal effects or similarly significantly affects you.
8. Data Security
We implement appropriate technical and organisational measures to protect your data:
- Encryption in transit (HTTPS) and at rest
- Access controls and authentication systems
- Regular security assessments
- Staff training on data protection
- Incident response procedures
While we strive to protect your data, no system is completely secure. We encourage you to safeguard your account credentials.
9. Children's Privacy
Our services are B2B focused and not directed at individuals under 18. We do not knowingly collect personal data from children.
10. Third-Party Links
Our website may contain links to third-party sites. We are not responsible for their privacy practices. Please review their privacy policies before providing personal data.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via our website or email.
12. Complaints
If you have concerns about our data processing, you have the right to lodge a complaint with:
- UK: Information Commissioner's Office (ico.org.uk)
- EU: Your local data protection authority
We encourage you to contact us first at legal@aeternoai.com to resolve any concerns.
13. Contact Information
For any questions about this Privacy Policy or our data practices:
Email: legal@aeternoai.com
Post: Data Protection Officer, Aeterno Ltd, 1 Queen Square, Bath, BA1 2HA